Journals

Deductive software verification, also known as program proving,
expresses the correctness of a program as a set
of mathematical statements, called verification conditions. They are
then discharged using either automated or interactive theorem
provers. We briefly review this research area, with an emphasis on
tools.

The fused multiply accumulate-add (FMA) instruction,
specified by the IEEE 754-2008 Standard for
Floating-Point Arithmetic, eases some calculations,
and is already available on some current processors
such as the Power PC or the Itanium. We first extend
an earlier work on the computation of the exact
error of an FMA (by giving more general conditions
and providing a formal proof). Then, we present a
new algorithm that computes an approximation to the
error of an FMA, and provide error bounds and a
formal proof for that algorithm.

Lucy-n is a dataflow programming language similar to Lustre
extended with a buffer operator. This language is based on the
n-synchronous model which was initially introduced for programming
multimedia streaming applications. In this article, we show that
Lucy-n is also applicable to model Latency Insensitive
Designs (LID). In order to model relay stations, we have to
introduce a delay operator. Thanks to this new operator, a LID can be
described by a Lucy-n program. Then, the Lucy-n compiler
automatically provides static schedules for computation nodes and
buffer sizes needed in the shell wrappers.

Why3 is the next generation of the
Why software verification platform.
Why3 clearly separates the purely logical
specification part from generation of verification conditions for programs.
This article focuses on the former part.
Why3 comes with a new enhanced language of
logical specification. It features a rich library of
proof task transformations that can be chained to produce a suitable
input for a large set of theorem provers, including SMT solvers,
TPTP provers, as well as interactive proof assistants.

For critical software development, containers such as lists, vectors, sets or
maps are an attractive alternative to ad-hoc data structures based on
pointers.
As standards like DO-178C put formal verification and testing on an equal
footing, it is important to give users the ability to apply both to the
verification of code using containers.
In this paper,
we present a definition of containers whose aim is to facilitate their
use in certified software, using modern proof technology and novel
specification languages. Correct usage of containers and user-provided
correctness properties can be checked either by execution during testing
or by formal proof with an automatic prover.
We present a formal semantics for containers and an axiomatization of this
semantics targeted at automatic provers. We have proved in Coq that the
formal semantics is consistent and that the axiomatization thereof is
correct.

We present Functory, a distributed computing library for
Objective Caml. The main features of this library
include (1) a polymorphic API, (2) several implementations to
adapt to different deployment scenarios such as sequential,
multi-core or network, and (3) a reliable fault-tolerance mechanism.
This paper describes the motivation behind this work, as well as
the design and implementation of the library. It also demonstrates
the potential of the library using realistic experiments.

Hybrid modelers such as Simulink have become corner stones of embedded
systems development.
They allow both discrete controllers and their continuous
environments to be expressed in a single language.
Despite the availability of such tools, there remain a number of issues
related to the lack of reproducibility of simulations and to the
separation of the continuous part, which has to be exercised by a
numerical solver, from the discrete part, which must be guaranteed not to
evolve during a step.

Starting from a minimal, yet full-featured, Lustre-like synchronous
language, this paper presents a conservative extension
where data-flow equations can be mixed with ordinary differential
equations (ODEs) with possible reset.
A type system is proposed to statically distinguish discrete computations
from continuous ones and to ensure that signals are used in their proper
domains.
We propose a semantics based on non-standard analysis which gives a
synchronous interpretation to the whole language, clarifies the
discrete/continuous interaction and the treatment of zero-crossings, and
also allows the correctness of the type system to be established.

The extended data-flow language is realized through a source-to-source
transformation into a synchronous subset, which can then be compiled using
existing tools into routines that are both efficient and bounded in their
use of memory.
These routines are orchestrated with a single off-the-shelf numerical
solver using a simple but precise algorithm which treats causally-related
cascades of zero-crossings.
We have validated the viability of the approach through experiments with
the SUNDIALS library.

We formally prove the C program that implements a simple numerical scheme for the resolution of the one-dimensional acoustic wave equation. Such an implementation introduces errors at several levels: the numerical scheme introduces method errors, and the floating-point computation leads to round-off errors. We formally specify in Coq the numerical scheme, prove both the method error and the round-off error of the program, and derive an upper bound for the total error. This proves the adequacy of the C program to the numerical scheme and the convergence of the effective computation. To our knowledge, this is the first time a numerical analysis program is fully machine-checked.